
297 points cyberbender | 5 comments
1. ashishb No.43530439
I am getting more and more convinced that CI and CD should be completely separate environments. Compromise of CI should not lead to token leaks related to CD.
replies(2): >>43530510 #>>43540155 #
2. mdaniel No.43530510
This area is near and dear to my heart, and I would offer that the solution isn't to decouple CD over into its own special little thing but rather to make the CD "multi-factor" in that it must be `"sub": "repo:octo-org/octo-repo:environment:prod"` [1], and feel free to sprinkle in any other [fun claims][] you'd like to harden that system.

1: https://docs.github.com/en/actions/security-for-github-actio...

fun claims: https://github.com/github/actions-oidc-debugger#readme

replies(1): >>43531158 #
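As an added illustration of the "multi-factor" trust policy described in the comment above (example code written for this page, not code from the thread or from GitHub), the function below evaluates the claims of a decoded GitHub Actions OIDC token against a policy that pins the `sub` claim to one repository's `prod` environment and layers further claims (`environment`, `job_workflow_ref`) on top, so a token minted for an ordinary CI run of the same repository is refused. The claim names are the ones GitHub Actions issues; the claim values, the audience `deploy.example.com`, and the workflow path are constructed sample data. Signature verification against the issuer's JWKS is assumed to have happened before these claims are trusted; this function only models the condition check a cloud provider's trust policy performs after that step.

```python
"""Claim-based trust policy check for a GitHub Actions OIDC token.

Added example for this thread, not the project's or GitHub's own code.
Claim values below are constructed; the claim names are real GitHub Actions claims.
Assumes the JWT signature has already been validated against the issuer's JWKS.
"""

ISSUER = "https://token.actions.githubusercontent.com"

# Constructed CD trust policy: every listed claim must be present and match exactly.
# `sub` alone already ties the token to one environment of one repo; the extra
# claims are the "sprinkle in other claims" hardening the comment suggests.
CD_TRUST_POLICY = {
    "iss": ISSUER,
    "aud": "deploy.example.com",  # assumed audience configured for the deploy target
    "sub": "repo:octo-org/octo-repo:environment:prod",
    "environment": "prod",
    "job_workflow_ref": "octo-org/octo-repo/.github/workflows/deploy.yml@refs/heads/main",
}


def evaluate_trust(claims: dict, policy: dict = CD_TRUST_POLICY) -> tuple[bool, list[str]]:
    """Return (allowed, failures).

    A claim that is missing or differs from the policy value is a failure; the
    token is allowed only when every policy claim matches. All failures are
    reported so an operator can see which factor rejected the token.
    """
    failures = []
    for claim, expected in policy.items():
        actual = claims.get(claim)
        if actual != expected:
            failures.append(f"{claim}: expected {expected!r}, got {actual!r}")
    return (not failures, failures)


# Constructed token 1: a deploy job running in the protected prod environment.
PROD_DEPLOY_CLAIMS = {
    "iss": ISSUER,
    "aud": "deploy.example.com",
    "sub": "repo:octo-org/octo-repo:environment:prod",
    "repository": "octo-org/octo-repo",
    "environment": "prod",
    "ref": "refs/heads/main",
    "job_workflow_ref": "octo-org/octo-repo/.github/workflows/deploy.yml@refs/heads/main",
}

# Constructed token 2: a CI run triggered by a pull request in the same repository.
# Its `sub` has no environment component, so it never matches the CD policy.
CI_PULL_REQUEST_CLAIMS = {
    "iss": ISSUER,
    "aud": "deploy.example.com",
    "sub": "repo:octo-org/octo-repo:pull_request",
    "repository": "octo-org/octo-repo",
    "ref": "refs/pull/42/merge",
    "job_workflow_ref": "octo-org/octo-repo/.github/workflows/ci.yml@refs/pull/42/merge",
}

# Constructed token 3: right environment, but issued to a different workflow file.
# `sub` matches, yet the workflow-ref factor rejects it.
WRONG_WORKFLOW_CLAIMS = dict(
    PROD_DEPLOY_CLAIMS,
    job_workflow_ref="octo-org/octo-repo/.github/workflows/ci.yml@refs/heads/main",
)


if __name__ == "__main__":
    for name, claims in [
        ("prod deploy", PROD_DEPLOY_CLAIMS),
        ("pull request", CI_PULL_REQUEST_CLAIMS),
        ("wrong workflow", WRONG_WORKFLOW_CLAIMS),
    ]:
        allowed, failures = evaluate_trust(claims)
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
        for reason in failures:
            print(f"  - {reason}")
```

The third token is the interesting one: a `sub` condition by itself would accept it, which is why the additional `job_workflow_ref` factor is worth adding when the deploy workflow lives in the same repository as the CI workflows. In a real deployment the same conditions are expressed in the cloud provider's trust policy rather than in application code.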
3. ashishb No.43531158
Doable but I would prefer a complete isolation for simplicity.
replies(1): >>43532097 #
4. thund No.43532097
There are ways to isolate code from CI from CD; it's just not as easy as setting up the classic repo. One can use multiple repos, for example, or run CI and CD with different products.
5. nrvn No.43540155
This is essentially what separation of duties (and concerns) looks like. And this is how some of the good examples of projects work. Specific techniques and tooling and specific boundaries of CI and CD vary depending on the nature of the end product, but conceptually you are absolutely right.